Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/06/2024, 23:27

General

  • Target

    5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe

  • Size

    4.0MB

  • MD5

    4118f91d13a805a48ed5c5d03ff52054

  • SHA1

    194ea8ee61af70fc98afece3f350e5440169f94c

  • SHA256

    5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2

  • SHA512

    8dcab827000a488caf2691e504426a562e5f2b5846a8d81371bae99caa9d24f5c101ecdace81bf514cc4e6587406c50b86d1aeda5f25b35912fff4a7a1b94f71

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpCbVz8eLFcz

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
    "C:\Users\Admin\AppData\Local\Temp\5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2060
    • C:\AdobeE0\devdobec.exe
      C:\AdobeE0\devdobec.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\AdobeE0\devdobec.exe

    Filesize

    4.0MB

    MD5

    3e3bdefe2236fdd881549f350b257c4a

    SHA1

    c07b94e3def90879fd8a31b187079f19900b3518

    SHA256

    e31088fd5c3e897e7e9202321a21056740eae5126f074784091a154d12d34488

    SHA512

    536e326518a86501c9ae3ff312af3aaa6b83d5fcecc844e6cf3a199ac042222560deda52b4a967a3919bfbf9810dc802050b38bfd5ae60ebfeedbdd1bbd8fb2e

  • C:\KaVBER\dobdevloc.exe

    Filesize

    1.7MB

    MD5

    cdd97b53b5ff1c4c91ddadde33a72d19

    SHA1

    e874795b48a2225d7a2708576fd4d0606378c736

    SHA256

    438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

    SHA512

    e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

  • C:\KaVBER\dobdevloc.exe

    Filesize

    4.0MB

    MD5

    3f6afcb754d180f568da1ba75a833e86

    SHA1

    4d13e61820ae0694f25fc85fb9a77cf2e83a7f11

    SHA256

    47e8cf813c66d4f29105bcbfad5fe1173fda27b525d51b1179c6174b4f0d5149

    SHA512

    e5c2f2e024a424fd6c24f9dd64ada749a090df670d5b26a0c55ea041a9efa979710a013229b8941e2ec56d88662b09d0920e3516ffc86d6e2f49baa100a57f65

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    32855409e02fe45e25e2db54268f2141

    SHA1

    b4583c99d59a6a4d1f38596a4f327f9d4a52f4a6

    SHA256

    af4bf2b8437287043cf6e9f57bf060ca247683751ae3fdb576422c6b437f8562

    SHA512

    9ecc4b3574b26bc2cbf8234ff2661389382960cf7e826f94e4cc2f0a1a64fb9d96d55acb62bd12ccb9ae3c8662c8f6029a437a1890ad9b62587a40854ab2465e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    15d5ccba2e83c78a824933bb4820efe8

    SHA1

    68cdbb253ba85648adabc96f78abf4ef3be1f317

    SHA256

    8eaa5f182388eee5f172d3270bda97f18d461412ff18636a1fcad9e416e634dd

    SHA512

    b8670b97e2c735744259c7e1eb4f78aae1d383b40dd95fc94978b3762a0b021e14ac822303f3f9243709a51b2770baf5a89aa5024ef5a1ba66cf72c3628c02bb

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

    Filesize

    4.0MB

    MD5

    368ea07137f249ec021ecea4c4e4bfe6

    SHA1

    f9e71f5c8712e92147ac2cfc7c52fb1d7bda8276

    SHA256

    351509666e1191b371a239a07e71ea6e7cde6fbfe028b3a042ea593c6adbc769

    SHA512

    27dfe24c0b60aee3579ef2979a8360388d1e5e5014a5630834d8bd25958b6219b6323ce41a69dbb7ec167b6f6a63eeafe72292e479632adc517ca31759f39c1d